Remote Logging with Syslog¶
The Remote Logging options under Status > System Logs on the Settings tab allow syslog to copy log entries to a remote server.
The logs kept by pfSense on the firewall itself are of a finite size and they are cleared on reboot on NanoBSD. Copying these entries to a syslog server can aid troubleshooting and enable long-term monitoring. Having a remote copy can also help diagnose events that occur before a firewall restarts or after they would have otherwise been lost due to clearing of the logs or when older entries are cycled out of the log, and in cases when local storage has failed but the network remains active.
Corporate or local legislative policies may dictate the length of time logs must be retained from firewalls and similar devices. If an organization requires long-term log retention for their own or government purposes, a remote syslog server is required to receive and retain these logs.
To start logging remotely:
Navigate to Status > System Logs on the Settings tab
Check Send log messages to remote syslog server
Configure the options as follows:
- Source Address
Controls where the
syslogdaemon binds for sending out messages. In most cases, the default (Any) is the best option, so the firewall will use the address nearest the target. If the destination server is across an IPsec VPN, however, choosing an interface or Virtual IP address inside the local Phase 2 network will allow the log messages to flow properly over a tunnel.
- IP Protocol
When choosing an interface for the Source Address, this option gives the
syslogdaemon a preference for either using IPv4 or IPv6, depending on which is available. If there is no matching address for the selected type, the other type is used instead.
- Remote Log Servers
Enter up to three remote servers using the boxes contained in this section. Each remote server can use either an IP address or hostname, and an optional port number. If the port is not specified, the default syslogd port,
514, is assumed.
A syslog server is typically a server that is directly reachable from the pfSense firewall on a local interface. Logging can also be sent to a server across a VPN.
Do not send log data directly across any WAN connection or unencrypted site-to-site link, as it is plain text and could contain sensitive information.
- Remote Syslog Contents
The options in this section control which log messages will be sent to the remote log server.
When set, all log messages from all areas are sent to the server.
- System Events
Main system log messages that do not fall into other categories.
- Firewall Events
Firewall log messages in raw format. The format of the raw log is covered on the documentation wiki article on the Filter Log Format
- DNS Events
Messages from the DNS Resolver (
unbound), DNS Forwarder (
dnsmasq), and from the
filterdnsdaemon which periodically resolves hostnames in aliases.
- DHCP Events
Messages from the IPv4 and IPv6 DHCP daemons, relay agents, and clients.
- PPP Events
Messages from PPP WAN clients (PPPoE, L2TP, PPTP)
- Captive Portal Events
Messages from the Captive Portal system, typically authentication messages and errors.
- VPN Events
Messages from VPN daemons such as IPsec and OpenVPN, as well as the L2TP server and PPPoE server.
- Gateway Monitor Events
Messages from the gateway monitoring daemon,
- Routing Daemon Events
Routing-related messages such as UPnP/NAT-PMP, IPv6 routing advertisements, and routing daemons from packages like OSPF, BGP, and RIP.
- Server Load Balancer Events
relaydwhich handles server load balancing.
- Network Time Protocol Events
Messages from the NTP daemon and client.
- Wireless Events
Messages from the Wireless AP daemon,
Click Save to store the changes.
If a syslog server is not already available, it is fairly easy to set one up. See Syslog Server on Windows with Kiwi Syslog for information on setting up Kiwi Syslog on Windows. Almost any UNIX or UNIX-like system can be used as a syslog server. FreeBSD is described in the following section, but others may be similar.
Configuring a Syslog Server on FreeBSD¶
Setting up a syslog server on a FreeBSD server requires only a couple steps. In
this example, replace
192.168.1.1 with the IP address of the firewall,
exco-rtr with the hostname of the firewall, and replace
exco-rtr.example.com with the full hostname and domain of the firewall. This
192.168.1.1 because the best practice is to send syslog
messages using the internal address of a firewall, not a WAN interface.
These changes must all be made on the syslog server, not on the firewall.
First, the firewall will likely need an entry in
/etc/hosts containing the
address and name of the firewall:
192.168.1.1 exco-rtr exco-rtr.example.com
Then adjust the startup flags for
syslogd to accept syslog messages from the
/etc/rc.conf and add this line if it does not exist, or add
this option to the existing line for the setting:
syslogd_flags=" -a 192.168.1.1"
Lastly, add lines to
/etc/syslog.conf to catch log entries from this host.
Underneath any other existing entries, add the following lines:
!* +* +exco-rtr *.* /var/log/exco-rtr.log
Those lines will reset the program and host filters, then set a
host filter for this firewall using the short name as entered in
/etc/syslog.conf on the pfSense firewall for ideas about
filtering the logs for various services into separate log files on the syslog
After these changes,
syslogd must be restarted . On FreeBSD this
is one simple command:
# service syslogd restart
Now look at the log file on the syslog server and if the configuration is correct, it will be populating the logs with entries as activity happens on the firewall.